Uncovering Qilin Attack Methods Exposed Through Multiple Cases

    Date: 10/27/2025

    Severity: High

    Summary

    In the second half of 2025 the Qilin ransomware group has continued to leak victim data at a rate of more than 40 cases per month, placing it among the most active threat actors worldwide. Manufacturing remains the hardest-hit sector, followed by professional and scientific services and wholesale trade. Scripts recovered from the intrusions contain character encodings that point to Eastern Europe or a Russian-speaking region. Investigators identified Cyberduck, an open-source file-transfer client, as a key exfiltration tool repeatedly abused in Qilin incidents. Logs also showed notepad.exe and mspaint.exe being used to open sensitive files, and two encryptors were deployed: encryptor_1.exe, pushed to other hosts with PsExec, and encryptor_2.exe, aimed at shared drives.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    regsvchst.com

    holapor67.top

    Email Addresses:

    mimikatzlogs@anti.pm

    mimikatz@anti.pm

    IP Addresses:

    85.239.34.91

    86.106.85.36

    Hashes (SHA-256):

    8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d

    dbe9ed8e8e8cdff3670e7205cb9f11b5a0fa9d1983a6c6bab67527d8775c4ffd

    38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18

    a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591

    e129dd5cc80f39b24db489df999c847335d169910bd966814d2f81b0b1bbc365

    dd29138bf369863c33402a3fc995458ab5fc015a13a9378022131ab31d940c9f

    d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616

    912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9

    6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc

    e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e

    792182b7c5a56e5ccefd32073dc374e66c6a4e7981075e3804f49a276878e0fb

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "holapor67.top" or url like "holapor67.top" or siteurl like "holapor67.top" or domainname like "regsvchst.com" or url like "regsvchst.com" or siteurl like "regsvchst.com"

    Detection Query 2:

    sender IN ("mimikatzlogs@anti.pm","mimikatz@anti.pm") OR recipients IN ("mimikatzlogs@anti.pm","mimikatz@anti.pm")

    Detection Query 3:

    dstipaddress IN ("86.106.85.36","85.239.34.91") or srcipaddress IN ("86.106.85.36","85.239.34.91")

    Detection Query 4:

    sha256hash IN ("792182b7c5a56e5ccefd32073dc374e66c6a4e7981075e3804f49a276878e0fb","e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e","e129dd5cc80f39b24db489df999c847335d169910bd966814d2f81b0b1bbc365","6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc","8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d","dbe9ed8e8e8cdff3670e7205cb9f11b5a0fa9d1983a6c6bab67527d8775c4ffd","38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18","a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591","dd29138bf369863c33402a3fc995458ab5fc015a13a9378022131ab31d940c9f","d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616","912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9")
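    To make the four queries checkable offline, here is an added Python example (not Gurucul's or Talos's code) that loads the IOCs listed on this page and sweeps them over a handful of constructed event records shaped like normalized SIEM events. The field names (domainname, url, siteurl, sender, recipients, srcipaddress, dstipaddress, sha256hash) are taken from the queries above; the sample events and the helper functions are assumptions made for the demonstration. The example also shows two details worth carrying over when porting the queries to a real platform: domain matching is exact-or-subdomain rather than substring, so cdn.holapor67.top is caught while the look-alike regsvchst.com.example.net is not, and e-mail addresses and hashes are case-normalized before comparison.

```python
"""Offline IOC sweep mirroring Detection Queries 1-4 above.

Added example, not Gurucul's or Talos's code. The indicator values are the
ones listed on this page; the event records are constructed for the demo and
their field names simply follow the ones used in the queries.
"""
import re

IOC_DOMAINS = {"regsvchst.com", "holapor67.top"}
IOC_EMAILS = {"mimikatzlogs@anti.pm", "mimikatz@anti.pm"}
IOC_IPS = {"85.239.34.91", "86.106.85.36"}
IOC_SHA256 = {
    "8fe746dd277e644fa0337db3394f0eadfafe57df029e13df9feef25c536adf4d",
    "dbe9ed8e8e8cdff3670e7205cb9f11b5a0fa9d1983a6c6bab67527d8775c4ffd",
    "38ddde36929a2ddf13b1844973550072c41004187eaa2456f86e20aa93036b18",
    "a068f595472c4f94baf1c2a8fba6831a327514e24ec4b38e1eee2cf1646b1591",
    "e129dd5cc80f39b24db489df999c847335d169910bd966814d2f81b0b1bbc365",
    "dd29138bf369863c33402a3fc995458ab5fc015a13a9378022131ab31d940c9f",
    "d1347f4dccebf2fcd672dcef9c66c91b9d3f12b9881e3e390626927718fda616",
    "912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9",
    "6ce228240458563d73c1c3cbbd04ef15cb7c5badacc78ce331848f5431b406cc",
    "e705f69afd97f343f3c1f2bc6027d30935a0bfd29ff025c563f6f8c1f9a7478e",
    "792182b7c5a56e5ccefd32073dc374e66c6a4e7981075e3804f49a276878e0fb",
}


def extract_host(value):
    """Reduce a hostname or URL to a bare, lower-case host name."""
    host = value.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop scheme
    host = host.split("/", 1)[0].split("?", 1)[0]        # drop path / query
    host = host.rsplit("@", 1)[-1]                       # drop userinfo
    host = host.split(":", 1)[0]                         # drop port
    return host.rstrip(".")


def host_matches(value, domains):
    """True if value is an IOC domain or a subdomain of one.

    Exact-or-subdomain matching catches cdn.holapor67.top but not a
    look-alike such as regsvchst.com.example.net, which a plain substring
    match would flag.
    """
    if not value:
        return False
    host = extract_host(value)
    return any(host == d or host.endswith("." + d) for d in domains)


def match_event(ev):
    """Return (query_no, field, value) hits for one event, one per matching field."""
    hits = []
    for field in ("domainname", "url", "siteurl"):              # Query 1
        if host_matches(ev.get(field), IOC_DOMAINS):
            hits.append((1, field, ev[field]))
    recipients = ev.get("recipients") or []
    if isinstance(recipients, str):
        recipients = [recipients]
    for addr in [ev.get("sender")] + list(recipients):         # Query 2
        if addr and addr.lower() in IOC_EMAILS:
            hits.append((2, "email", addr))
    for field in ("srcipaddress", "dstipaddress"):            # Query 3
        if ev.get(field) in IOC_IPS:
            hits.append((3, field, ev[field]))
    digest = ev.get("sha256hash")                              # Query 4
    if digest and digest.strip().lower() in IOC_SHA256:
        hits.append((4, "sha256hash", digest))
    return hits


def sweep(events):
    """Run match_event over a list of events; returns (event_index, hit) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]


# Constructed sample telemetry (not real logs). Each record is shaped like a
# normalized SIEM event carrying only the fields the queries above look at.
SAMPLE_EVENTS = [
    {"domainname": "cdn.holapor67.top"},                         # subdomain of IOC
    {"url": "https://regsvchst.com/update?x=1"},                 # URL to IOC host
    {"url": "https://regsvchst.com.example.net/"},               # look-alike, benign
    {"sender": "Mimikatz@anti.pm", "recipients": ["user@corp.example"]},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "85.239.34.91"},
    {"sha256hash": "8FE746DD277E644FA0337DB3394F0EADFAFE57DF029E13DF9FEEF25C536ADF4D"},
    {"domainname": "example.com", "sha256hash": "0" * 64},       # clean
]

if __name__ == "__main__":
    for idx, (query_no, field, value) in sweep(SAMPLE_EVENTS):
        print(f"event {idx}: query {query_no} hit on {field} = {value}")
```

    Running the script prints one line per hit (events 0, 1, 3, 4 and 5; the look-alike domain and the clean record stay silent). Before relying on Query 1 in production, confirm how your platform evaluates like with no wildcard: if it behaves as an exact comparison, connections to subdomains of the listed domains will be missed.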

    Reference:    

    https://blog.talosintelligence.com/uncovering-qilin-attack-methods-exposed-through-multiple-cases/


    Tags

    Malware, Threat Actor, Ransomware, Qilin, Cyberduck, Exfiltration, Eastern Europe, Russia
